Bug 7911

Summary: SPF plugin does not recognise multiple results in a single Authentication-Results header
Product: Spamassassin
Reporter: dbuergin
Component: Plugins
Assignee: SpamAssassin Developer Mailing List <dev>
Status: NEW
Severity: normal
CC: apache
Priority: P2
Version: 3.4.4
Target Milestone: Undefined
Hardware: PC
OS: Linux
Whiteboard:
Bug Depends on: 6918
Bug Blocks:

Description dbuergin 2021-05-22 13:08:38 UTC
RFC 8601 is the current specification of the Authentication-Results
header. According to section 4 of RFC 8601, multiple results may be
conveyed either in multiple Authentication-Results header fields or in a
single one:

> An MTA compliant with this specification adds this header field
> (after performing one or more message authentication tests) to
> indicate which MTA or ADMD performed the test, which test was
> applied, and what the result was.  If an MTA applies more than one
> such test, it adds this header field either once per test or once
> indicating all of the results.  An MTA MUST NOT add a result to an
> existing header field.

For SPF, I interpret this to mean that the following two forms are
equivalent:

1)

Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=example.com
Authentication-Results: mail.example.org; spf=pass smtp.helo=mail.example.com

2)

Authentication-Results: mail.example.org;
  spf=pass smtp.helo=mail.example.com;
  spf=pass smtp.mailfrom=example.com

The SpamAssassin SPF plugin recognises both HELO and MAIL FROM results
in the first form shown above, but not in the second form. In the second
form it only recognises the last result.

The SPF plugin should treat both forms the same and should be able to
recognise both results in the second form, too.

Comment 1 Henrik Krohns 2021-05-22 13:57:27 UTC
I think AuthRes (Bug 6918) can correctly parse such in Bug 6918, so SPF.pm should just make use of its results, I think.
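
The behaviour requested in the description, as an added example (not code from SpamAssassin's SPF.pm or the AuthRes work in Bug 6918): a parser that keeps every result in an Authentication-Results value, so both forms from the report give the same HELO and MAIL FROM results. The names parse_authres and spf_by_identity are hypothetical, and the parser covers only the subset of RFC 8601 syntax needed here.

```perl
use strict;
use warnings;

# Parse one Authentication-Results value into (authserv-id, [results]), keeping
# every resinfo. Simplification: parentheses inside quoted strings are not handled.
sub parse_authres {
    my ($value) = @_;
    $value =~ s/\r?\n[ \t]+/ /g;            # unfold continuation lines
    1 while $value =~ s/\([^()]*\)/ /;      # strip (comments), innermost first
    # Split on ";" while keeping quoted strings (which may contain ";") whole.
    my @parts = $value =~ /((?:"(?:[^"\\]|\\.)*"|[^;"])+)/g;
    s/^\s+|\s+$//g for @parts;
    my ($authserv_id) = split ' ', (shift(@parts) // '');
    my @results;
    for my $resinfo (@parts) {
        # method[/version]=result, then optional reason and ptype.property=value
        # pairs; "none" and empty parts do not match and are skipped.
        my ($method, $result, $rest) =
            $resinfo =~ m{^([\w-]+)(?:\s*/\s*\d+)?\s*=\s*([\w-]+)\s*(.*)$}s or next;
        my %props;
        while ($rest =~ /([\w-]+\.[\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)/g) {
            my ($name, $val) = (lc $1, $2);
            $val =~ s/^"(.*)"$/$1/s;
            $props{$name} = $val;
        }
        push @results, { method => lc $method, result => lc $result, props => \%props };
    }
    return ($authserv_id, \@results);
}
# Merge the SPF results of one or more headers, keyed by identity.
sub spf_by_identity {
    my %spf;
    for my $header (@_) {
        my (undef, $results) = parse_authres($header);
        for my $r (grep { $_->{method} eq 'spf' } @$results) {
            exists $r->{props}{"smtp.$_"} and $spf{$_} = $r->{result} for qw(helo mailfrom);
        }
    }
    return \%spf;
}
# Header values copied from the report: form 1 (two fields), form 2 (one field).
my @form1 = ('mail.example.org; spf=pass smtp.mailfrom=example.com',
             'mail.example.org; spf=pass smtp.helo=mail.example.com');
my @form2 = ("mail.example.org;\n  spf=pass smtp.helo=mail.example.com;\n"
           . "  spf=pass smtp.mailfrom=example.com");
for my $form (\@form1, \@form2) {
    my $spf = spf_by_identity(@$form);
    print join(', ', map { "$_=$spf->{$_}" } sort keys %$spf), "\n";
}
```

parse_authres also returns the authserv-id, so a caller can limit itself to headers added by hosts it trusts before using any result.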